From 2d17fde8f1e2d0fc616bcc423c7a77ac12c52e51 Mon Sep 17 00:00:00 2001
From: Daniel Volz
Date: Tue, 30 Dec 2025 13:13:49 +0100
Subject: [PATCH] ci: add explicit permissions to all workflow jobs

---
 .github/workflows/codeql.yml | 1 +
 .github/workflows/docker-build.yml | 4 ++++
 .github/workflows/test.yml | 4 ++++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index abc0ffb..d72b6ba 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -7,6 +7,7 @@ on:
 branches: [main]
 schedule:
 - cron: "0 6 * * 1" # Weekly on Monday at 6am UTC
+ workflow_dispatch: # Allow manual trigger
 
 jobs:
 analyze:
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 3b6ed7c..e537d5d 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -25,6 +25,8 @@ jobs:
 backend-test:
 name: Backend Tests
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 defaults:
 run:
 working-directory: backend
@@ -42,6 +44,8 @@ jobs:
 frontend-build:
 name: Frontend Build
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 defaults:
 run:
 working-directory: frontend
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index c85299f..cc75234 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -15,6 +15,8 @@ jobs:
 backend-test:
 name: Backend Tests
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 defaults:
 run:
 working-directory: backend
@@ -53,6 +55,8 @@ jobs:
 frontend-build:
 name: Frontend Build
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 defaults:
 run:
 working-directory: frontend
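Review bot: The commit subject claims every workflow job now has explicit permissions, but the only change to codeql.yml is the `workflow_dispatch:` trigger; no `permissions:` block is added for the `analyze` job, whose body starts on the last line of the hunk and continues outside it. If that job does not already declare its scopes further down, it should carry `permissions:` with `contents: read` and `security-events: write`, since uploading CodeQL results needs the latter, and otherwise the commit message should state that codeql.yml only gained a manual trigger. A short comment on that block such as `# security-events: write is required for the CodeQL results upload` would make the deliberate widening visible to the next reader.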
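Review bot: The `permissions:` blocks in docker-build.yml are granted per job, so any job added to either workflow later without its own block still falls back to the repository's default GITHUB_TOKEN scopes, which may be write-all. A workflow-level `permissions:` with `contents: read` placed at the top of the file sets the read-only floor once, and only a job that genuinely needs more (for example one that pushes an image from docker-build.yml) widens it locally; the job-level blocks in this hunk can then remain as explicit documentation or be dropped. The same point applies to the second hunk of docker-build.yml and to both hunks of test.yml. The enclosing `jobs:` mapping begins before each hunk and each job body continues past it, so I cannot see whether a workflow-level block already exists.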